CVE-2026-62963

Centrifugal · Centrifugo

Centrifugo is vulnerable to data amplification via improper handling of highly compressed data, allowing for potential denial of service.

Executive summary

Centrifugo versions prior to 6.8.4 are susceptible to a data amplification vulnerability that could lead to significant system resource exhaustion.

Vulnerability

This vulnerability involves CWE-409, which is the improper handling of highly compressed data. An unauthenticated attacker can send specially crafted compressed payloads to the server, resulting in resource amplification that can crash the service.

Business impact

The exploitation of this vulnerability can result in a denial of service for the Centrifugo real-time messaging server. Given the CVSS score of 8.7, this flaw poses a high risk to business continuity, as the server may become unresponsive to legitimate traffic, disrupting critical real-time communication channels within the organization.

Remediation

Immediate Action: Upgrade Centrifugo to version 6.8.4 or later to apply the necessary patches for compressed data handling.

Proactive Monitoring: Monitor system resource usage, specifically CPU and memory spikes, which may indicate attempts to exploit data amplification vulnerabilities.

Compensating Controls: Implement strict request size limits at the network edge or via a reverse proxy to mitigate the impact of abnormally large or highly compressed payloads.

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability represents a significant stability risk to real-time messaging infrastructure. Administrators should prioritize the update to version 6.8.4 to ensure the server correctly sanitizes and processes compressed data, thereby closing the amplification vector.